Filtered by vendor Oracle
Subscriptions
Filtered by product Retail Xstore Point Of Service
Subscriptions
Total
125 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39139 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39141 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39145 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39147 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39140 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 6.5 Medium |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39149 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39151 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39146 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39148 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2021-39150 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. | ||||
| CVE-2021-39152 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. | ||||
| CVE-2021-39154 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2025-05-23 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||
| CVE-2019-10173 | 3 Oracle, Redhat, Xstream | 15 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 12 more | 2025-05-14 | 9.8 Critical |
| It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285) | ||||
| CVE-2018-1000180 | 5 Bouncycastle, Debian, Netapp and 2 more | 24 Bc-java, Fips Java Api, Debian Linux and 21 more | 2025-05-12 | N/A |
| Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. | ||||
| CVE-2018-1000613 | 4 Bouncycastle, Netapp, Opensuse and 1 more | 24 Bc-java, Oncommand Workflow Automation, Leap and 21 more | 2025-05-12 | 9.8 Critical |
| Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later. | ||||
| CVE-2019-17359 | 4 Apache, Bouncycastle, Netapp and 1 more | 21 Tomee, Bc-java, Active Iq Unified Manager and 18 more | 2025-05-12 | 7.5 High |
| The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. | ||||
| CVE-2019-0227 | 2 Apache, Oracle | 37 Axis, Agile Engineering Data Management, Agile Product Lifecycle Management and 34 more | 2025-05-08 | 7.5 High |
| A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue. | ||||
| CVE-2018-8032 | 3 Apache, Debian, Oracle | 38 Axis, Debian Linux, Agile Engineering Data Management and 35 more | 2025-05-08 | 6.1 Medium |
| Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. | ||||
| CVE-2020-10673 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2025-05-01 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | ||||
| CVE-2020-35728 | 5 Debian, Fasterxml, Netapp and 2 more | 42 Debian Linux, Jackson-databind, Service Level Manager and 39 more | 2025-05-01 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). | ||||